Actually, the underlying assumption of this paper is that major networks
already have a large global backbone that need to interconnect in
n-regions. The choice between Direct Circuits and Colo-based cross connects
is discussed and documented with costs and tradeoffs. Surviving a major
attack was not the focus of the paper...but...
If the major networks in questions are long-distance companies and local
phone companies, then they are already interconnected in N places. For one
reason or another, at the present time they are simply not running IP at
those points. It is equivalent to having networks in the common facilities
that choose not to interconnect.
When I did this research I asked ISPs how many Exchange Points they felt
were needed in a region. Many said one was sufficient, that they were
resilient across multiple exchange points and transit relationships, and
preferred to engineer their own diversity separate from regional exchanges.
Very few ISPs in reality have any physical divercity.
A bunch said that two was the right number, each with different operating
procedures, geographic locations, providers of fiber, etc. , as different
as possible. Folks seemed unanimous about there not being more than two
IXes in a region, that to do so would splinter the peering population.
Security is always considered a waste of money. It is nothing new. The
reason for that is that it is impossible to see the benefits when there is
no problem.
Fine - we both agree that no transport provider is entirely protected from
physical tampering if its fiber travels through insecure passageways. Note
that some transport capacity into an IX doesn't necessarily travel along
the same path as the metro providers, particularly those IXes located
outside a metro region. There are also a multitude of paths, proportional
to the # of providers still around in the metro area, that provide
alternative paths into the IX. Within an IX therefore is a concentration of
alternative providers, and these alternative providers can be used as
needed in the event of a path cut.
They are using the same paths to get into the buildings. If they are not
using the same paths exactly, their paths are close enough to each other
within N meters from the building.
> > 2) It is faster to repair physical disruptions at fewer points, leveraging
> > cutovers to alternative providers present in the collocation IX model, as
> > opposed to the Direct Circuit model where provisioning additional
> > capacities to many end points may take days or months.
>
>This again is great in theory, unless you are talking about someone who
>is planning on taking out the IX not accidently, but deliberately. To
>illustrate this, one just needs to recall the infamous fiber cut in McLean
>in 1999 when a backhoe not just cut Worldcom and Level(3) circuits, but
>somehow let a cement truck to pour cement into Verizon's manhole that was
>used by Level(3) and Worldcom.
Terrorists in cement trucks?
No, but since that caused a multi-day outages for certain customers due to a
single point of failure, I am sure someone can appreciate the outage that
can be caused by detonating a hundred killograms of high explosives inside a
collo facility.
Again, it seems more likely and more technically effective to attack
internally than physically. Focus again here on the cost/benefit analysis
from both the provider and disrupter perspective and you will see what I
mean.
Easily accessible brute-force *always* wins.
Any chain is not stronger than its weakest link and concentrated
infrastructure was, is and always will be, the weakest link if one can mount
an attack using bruce-force.
Neither the data centers, nor COs nor exchange points that are vital so far
had been designed in a way that they could withstand a direct physical
attack even by an individual with a handgun, not to mention anyone carrying
explosives. When that problem gets solved, we can concentrate on attracks
against IP infrastructure.
Alex